Watchlist - Monids Documentation

Learn how to use Monids to protect your brand from phishing and domain impersonation.

Watchlist

The Watchlist feature provides continuous monitoring of suspicious domains with automated change detection and alerting. When you identify a potentially malicious domain through alerts or search, add it to your watchlist for daily monitoring, change tracking, and email notifications.

Adding Domains

From Alert Events

Add domains directly from Alert Events:

  1. Navigate to Alert Events
  2. Review triggered alerts
  3. Click "Watchlist" button on the suspicious domain row
  4. Domain is automatically added with alert context

The system automatically populates:

  • Domain name
  • Alert event reference (linked for future reference)
  • Monitoring reason: [YYYY-MM-DD] Added to watchlist from alert event (keyword: <matched_keyword>)

Example automated reasons:

[2025-12-25] Added to watchlist from alert event (keyword: paypal)
[2025-12-25] Added to watchlist from alert event (keyword: microsoft-login)

Manual Addition

Add domains manually from the Watchlist page:

  1. Navigate to Watchlist
  2. Click "Create" button
  3. Select or enter the domain name
  4. Provide custom monitoring reason
  5. Click "Save" to confirm

Example custom reasons for manual monitoring:

  • "Potential PayPal phishing site - exact brand match"
  • "Typosquatting attempt on company domain"
  • "Suspicious DNS records point to known phishing infrastructure"
  • "Domain registered same day as phishing campaign detected"

Monitored Data

HTTP/HTTPS Status

Real-time status monitoring for both protocols with color-coded indicators:

Status Range | Color  | Meaning
200-299      | Green  | Site is active and responding
300-399      | Blue   | Site redirects to another location
400-499      | Yellow | Site may be down or access restricted
500+         | Red    | Server experiencing errors
No response  | Gray   | Connection failed or timed out

Status Display: Each domain shows either HTTPS or HTTP status (HTTPS preferred when available) with the protocol label in the chip.

DNS Records

Comprehensive DNS monitoring tracks all record types:

Record Type | Purpose                 | Change Significance
A           | IPv4 addresses          | Infrastructure/hosting changes
AAAA        | IPv6 addresses          | Modern infrastructure adoption
NS          | Nameservers             | Hosting provider switches
MX          | Mail servers            | Email capability activation
TXT         | SPF, DKIM, verification | Email authentication setup
CNAME       | Domain aliases          | Subdomain configuration

Change Detection: The system automatically detects when DNS records are added, removed, or modified. Changes are tracked with timestamp and old vs. new values.

Significance Indicators:

  • Nameserver changes often indicate hosting provider switches or ownership transfer
  • New A records reveal infrastructure changes or site activation
  • MX record additions suggest the domain is being configured to send email (common in phishing)

WHOIS Information

Registrar and registration details tracking:

Field               | Description               | Change Significance
Registrar Name      | Domain registrar          | Ownership transfer or registrar migration
Registration Date   | Initial registration      | Domain age and legitimacy indicator
Nameservers         | Authority servers         | Infrastructure provider changes
Abuse Contact Email | Registrar abuse reporting | Contact point for takedown requests
Abuse Contact Phone | Phone for abuse reports   | Alternative reporting channel

Automated Detection: Registrar changes trigger high-severity alerts as they may indicate ownership transfer or domain hijacking.

SSL/TLS Certificates

Certificate monitoring and security posture tracking:

Metric              | Purpose
Certificate Issuer  | Certificate Authority (e.g., Let's Encrypt, DigiCert)
Certificate Expiry  | SSL certificate lifecycle and renewal tracking
Certificate Changes | Re-issuance, renewal, or CA migration

Security Implications:

  • New certificates on previously inactive domains suggest site activation
  • Legitimate CAs (Let's Encrypt) are commonly used by phishers due to free issuance
  • Expired certificates may indicate site abandonment

Viewing Your Watchlist

Navigate to Watchlist to view all monitored domains.

Watchlist Table Columns

Column       | Description
Domain       | Full domain name with HTTP/HTTPS status chip
Registrar    | Current registrar name
Added        | Timestamp when added (YYYY-MM-DD HH:MM:SS format)
Last Changes | Most recent change type and detection timestamp
Alert Link   | Icon linking to originating alert event (if applicable)
Actions      | Remove button to stop monitoring

Expand Panel

Click the expand arrow on any row to view detailed information:

Watchlist Reason Section

Displays your original reason for monitoring this domain, preserving full context and multi-line notes.

Changes Detected Section

Complete timeline of all detected changes with:

  • Change Type Chips: Color-coded badges (DNS Change, Registrar Changed, SSL Changed, etc.)
  • Timestamps: ISO format (YYYY-MM-DD HH:MM:SS) for precise tracking
  • Old vs. New Comparison: Side-by-side display showing:
      • Previous value (red border)
      • Arrow indicating direction of change
      • Current value (green border)

Supported Change Types:

  1. DNS Changes
     • Shows added and removed records per record type
     • Example: A Record: 192.0.2.100 → 198.51.100.50

  2. Registrar Changes
     • Old and new registrar names
     • Example: GoDaddy → Namecheap

  3. Nameserver Changes
     • Lists removed and added nameservers
     • Example: ns1.example.com → ns1.cloudflare.com

  4. HTTP Status Changes
     • Protocol-specific status changes (HTTP and HTTPS tracked separately)
     • Example: HTTP Status: 200 → 404

  5. SSL Certificate Changes
     • Issuer and expiry date changes
     • Example: SSL Issuer: Let's Encrypt → DigiCert

  6. Keyword Detection
     • When monitored keywords appear on the page
     • Shows keyword and content snippet in green highlighted box

  7. New Domain Registration
     • Initial registration event with registration date
     • Displayed in blue highlighted box

Change Detection

Automated Monitoring

The system performs daily snapshots and change detection:

  1. Daily Snapshots: Each domain receives one snapshot per day
  2. Change Comparison: Current snapshot compared against previous snapshot
  3. Event Creation: Detected changes create DomainChangeEvent records
  4. Multi-Type Detection: Runs multiple detectors (DNS, Registrar, Nameserver, HTTP, SSL)

Change Event Storage

Each change event includes:

  • Change Type: Category of change (dns_change, registrar_change, etc.)
  • Detected At: Precise timestamp of detection
  • Previous Snapshot: Reference to old state
  • Current Snapshot: Reference to new state
  • Change Details: Structured JSON with specific old/new values
  • Notification Status: Whether user has been notified

Change Details Structure

Example change details for different types:

DNS Change:

{
  "record_changes": {
    "A": {
      "removed": ["192.0.2.100"],
      "added": ["198.51.100.50"]
    }
  },
  "summary": "DNS records changed: A"
}

Registrar Change:

{
  "old_registrar": "GoDaddy",
  "new_registrar": "Namecheap",
  "summary": "Registrar changed from GoDaddy to Namecheap"
}

Nameserver Change:

{
  "added": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
  "removed": ["ns1.example.com", "ns2.example.com"],
  "summary": "Nameservers changed"
}

HTTP Status Change:

{
  "changes": {
    "http": {"old": 200, "new": 404},
    "https": {"old": null, "new": 200}
  },
  "summary": "HTTP status changed: HTTP: 200 → 404, HTTPS: unreachable → 200"
}
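The snapshot comparison described under Automated Monitoring, worked through as an added example (not Monids' own code): two constructed daily snapshots are run through one detector per change type, and each detector emits change_details in the shapes shown above. The snapshot layout, the detector names and the change_type values nameserver_change and http_status_change are assumptions; dns_change and registrar_change are the documented names.

```python
# Constructed sample snapshots for day N and day N+1 (not real data).
# DNS values carry a TTL so the example can show that TTL-only changes are ignored.
PREVIOUS = {
    "dns": {"A": [("192.0.2.100", 300)], "MX": []},
    "registrar": "GoDaddy",
    "nameservers": ["ns1.example.com", "ns2.example.com"],
    "http": {"http": 200, "https": None},  # None = no response
}
CURRENT = {
    "dns": {"A": [("198.51.100.50", 60)], "MX": [("mail.example-phishing.com", 3600)]},
    "registrar": "Namecheap",
    "nameservers": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
    "http": {"http": 404, "https": 200},
}

def detect_dns(prev, cur):
    """Per record type, diff the set of values; the TTL element is deliberately ignored."""
    changes = {}
    for rtype in sorted(set(prev["dns"]) | set(cur["dns"])):
        old = {value for value, _ttl in prev["dns"].get(rtype, [])}
        new = {value for value, _ttl in cur["dns"].get(rtype, [])}
        if old != new:
            changes[rtype] = {"removed": sorted(old - new), "added": sorted(new - old)}
    if not changes:
        return None
    return {"record_changes": changes, "summary": "DNS records changed: " + ", ".join(changes)}

def detect_registrar(prev, cur):
    """Registrar change; the docs flag this as high severity (possible ownership transfer)."""
    old, new = prev["registrar"], cur["registrar"]
    if old == new:
        return None
    return {"old_registrar": old, "new_registrar": new,
            "summary": f"Registrar changed from {old} to {new}"}

def detect_nameservers(prev, cur):
    old, new = set(prev["nameservers"]), set(cur["nameservers"])
    if old == new:
        return None
    return {"added": sorted(new - old), "removed": sorted(old - new), "summary": "Nameservers changed"}

def detect_http(prev, cur):
    """HTTP and HTTPS are tracked separately; None (no response) is rendered as 'unreachable'."""
    diff = {proto: {"old": prev["http"][proto], "new": cur["http"][proto]}
            for proto in ("http", "https") if prev["http"][proto] != cur["http"][proto]}
    if not diff:
        return None
    show = lambda status: "unreachable" if status is None else str(status)
    parts = [f"{proto.upper()}: {show(d['old'])} → {show(d['new'])}" for proto, d in diff.items()]
    return {"changes": diff, "summary": "HTTP status changed: " + ", ".join(parts)}

# change_type keys: dns_change and registrar_change are documented; the other two are assumed names.
DETECTORS = {"dns_change": detect_dns, "registrar_change": detect_registrar,
             "nameserver_change": detect_nameservers, "http_status_change": detect_http}

def detect_changes(prev, cur):
    """Run every detector over one snapshot pair; each hit is a (change_type, change_details) event."""
    events = []
    for change_type, detector in DETECTORS.items():
        details = detector(prev, cur)
        if details is not None:
            events.append((change_type, details))
    return events
```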

Email Notifications

Daily Alert Emails

Watchlist changes are included in your daily alert digest emails when domains have detected changes.

Email Format:

WATCHLIST CHANGES
============================================
3 watched domains have detected changes

Domains in your watchlist have been updated. Review the changes
to ensure continued monitoring effectiveness.

[View Watchlist Changes Button]

When Notifications Are Sent:

  • Included in daily alert emails if you have want_email=True in Alert Preferences
  • Only shown when watchlist_changes_count > 0 for that day
  • Links directly to filtered watchlist view

Email Link Behavior:

  • Clicking "View Watchlist Changes" opens the watchlist page
  • Automatically filters to show only domains with changes on that date
  • URL format: /dashboard/watchlist/#/watchlist?filter={"has_changes":"true","date":"YYYY-MM-DD"}

Notification Preferences

Configure email delivery in Alert Preferences:

  • Enable/Disable: Toggle want_email setting
  • Custom Destination: Override default email address
  • Consolidated Digest: Watchlist changes included with alert events

Available Filters

The watchlist supports query-based filtering:

Has Changes Filter

Shows only domains that have detected changes.

Usage:

  • Input: Any non-empty value (e.g., "true", "yes", "1")
  • Effect: Filters to domains with at least one DomainChangeEvent
  • API Parameter: ?has_changes=true

Changes on Date Filter

Shows only domains with changes detected on a specific date.

Usage:

  • Input: Date in YYYY-MM-DD format (e.g., "2025-12-25")
  • Effect: Filters to domains with changes on that exact date
  • API Parameter: ?date=2025-12-25

Combined Filtering: Both filters can be used simultaneously:

?has_changes=true&date=2025-12-25

Filter UI

Filters appear in the watchlist interface:

  • Has Changes: Always visible (alwaysOn)
  • Changes on Date: Collapsible filter input
  • Clear Filters: Remove all active filters with one click

URL-Based Filtering

Email links and bookmarks can include pre-applied filters:

Example URLs:

# Show all domains with changes
/dashboard/watchlist/#/watchlist?filter={"has_changes":"true"}

# Show domains with changes on specific date
/dashboard/watchlist/#/watchlist?filter={"date":"2025-12-25"}

# Combined (from email notifications)
/dashboard/watchlist/#/watchlist?filter={"has_changes":"true","date":"2025-12-25"}

URL Encoding: Filters use URL-encoded JSON format compatible with React-Admin.
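An added example (not Monids' own code) that ties the Available Filters section to the URL form above: it validates the date filter in the documented YYYY-MM-DD form, builds the API query string and the URL-encoded JSON deep link used in emails, and reads the filter back out of such a link. The two base paths come from this page; the helper names are assumptions.

```python
import json
import re
from datetime import date
from urllib.parse import quote, urlencode, parse_qs, urlparse

FRONTEND_BASE = "/dashboard/watchlist/#/watchlist"  # documented React-Admin route
API_BASE = "/domains/api/watchlist/"                # documented list endpoint
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def validate_date(value):
    """Accept only YYYY-MM-DD that is a real calendar date (rejects 12/25/2025 and 2025-13-45)."""
    if not DATE_RE.match(value):
        raise ValueError(f"date must be YYYY-MM-DD, got {value!r}")
    date.fromisoformat(value)  # raises ValueError for impossible dates
    return value

def build_filters(has_changes=False, on_date=None):
    """Filter dict shared by the API query and the frontend deep link."""
    filters = {}
    if has_changes:
        filters["has_changes"] = "true"   # any non-empty value enables the filter
    if on_date is not None:
        filters["date"] = validate_date(on_date)
    return filters

def api_url(has_changes=False, on_date=None):
    """GET /domains/api/watchlist/?has_changes=true&date=YYYY-MM-DD style query string."""
    filters = build_filters(has_changes, on_date)
    return API_BASE + ("?" + urlencode(filters) if filters else "")

def frontend_link(has_changes=False, on_date=None):
    """Deep link like the one in the daily email: compact JSON, URL-encoded, in the hash route."""
    filters = build_filters(has_changes, on_date)
    if not filters:
        return FRONTEND_BASE
    return FRONTEND_BASE + "?filter=" + quote(json.dumps(filters, separators=(",", ":")), safe="")

def parse_frontend_link(url):
    """Recover the filter dict from a deep link; the query lives inside the fragment."""
    fragment = urlparse(url).fragment           # "/watchlist?filter=%7B..."
    query = parse_qs(urlparse(fragment).query)  # parse_qs percent-decodes the JSON
    filters = json.loads(query.get("filter", ["{}"])[0])
    if "date" in filters:
        validate_date(filters["date"])          # a bad bookmark fails loudly, not silently empty
    return filters
```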

Managing Watchlist

Removing Domains

Via UI:

  1. Locate the domain in your watchlist
  2. Click the Delete icon (trash can) in the Actions column
  3. Confirm removal in the notification

Via API:

DELETE /domains/api/watchlist/{id}/

When to Remove:

  • Domain has been taken down and confirmed offline
  • Investigation complete and proven legitimate
  • Domain expired or deleted
  • False positive - not actually suspicious

Note: Removal is permanent. Historical snapshots and change events are deleted.

Deactivation (Soft Delete)

Alternative to removal for temporary pausing:

Via API:

POST /domains/api/watchlist/{id}/deactivate/

Benefits:

  • Preserves historical data
  • Can be reactivated later
  • Excluded from active monitoring
  • Not shown in watchlist view (filtered by is_active=True)

Reactivation

Resume monitoring of deactivated domains:

Via API:

POST /domains/api/watchlist/{id}/activate/

Each watchlist entry can reference its originating alert:

  • Alert Link Icon: Orange notification bell icon in dedicated column
  • Conditional Display: Only shown when alert_event field is populated
  • Click Behavior: Navigates to alert event detail page (/alert-events/{id}/show)
  • Purpose: Maintains audit trail of why domain was added

Use Cases

Phishing Investigation

Scenario: Alert triggered for domain paypa1-secure.com

Workflow:

  1. Review alert event details and screenshot
  2. Click "Watchlist" button to add domain (auto-populates reason)
  3. Monitor daily for:
     • Site going online (HTTP status changes)
     • Email server configuration (MX record additions)
     • SSL certificate issuance (HTTPS activation)
     • Content changes (screenshot comparisons)
  4. Report to registrar when confirmed malicious
  5. Continue monitoring to verify takedown success

Expected Timeline:

  • Day 1: Domain registered, DNS only
  • Day 2-3: Nameservers added, A records configured
  • Day 4: SSL certificate issued (HTTPS active)
  • Day 5: MX records added (ready to send phishing emails)
  • Day 6-7: Report to registrar
  • Day 8-14: Monitor for takedown

Brand Protection Campaign

Scenario: Discovered 20 domains during alert review using your brand name

Workflow:

  1. Add all suspicious domains to watchlist from alert events
  2. Review "Last Changes" column for recent activity
  3. Filter by "Has Changes" to prioritize active threats
  4. Expand domains to identify patterns:
     • Common nameservers (shared infrastructure)
     • Same IP addresses (phishing campaign)
     • Similar SSL certificates (automated setup)
  5. Group findings by registrar for bulk reporting
  6. Track takedown success rate via status monitoring

Analysis Techniques:

  • Sort by "Added" date to find coordinated campaigns
  • Compare DNS records across domains for infrastructure links
  • Track which registrars respond fastest to takedown requests

Infrastructure Tracking

Scenario: Identified suspicious IP range 198.51.100.0/24 used in phishing

Workflow:

  1. Search domain database for domains using that IP range
  2. Add all matches to watchlist
  3. Monitor for:
     • Additional domains added to same IP (campaign expansion)
     • Infrastructure provider changes (migration to avoid detection)
     • Coordinated takedowns (multiple domains offline simultaneously)
  4. Filter by "Changes on Date" to identify coordinated actions
  5. Share IP range and domain list with security community

Expected Insights:

  • Identify attacker's preferred hosting providers
  • Discover registration patterns (registrar, nameservers)
  • Track campaign lifecycle (setup → active → takedown)

API Access

List Watchlist Entries

Endpoint: GET /domains/api/watchlist/

Query Parameters:

  • has_changes: Filter to entries with change events (any non-empty value)
  • date: Filter to entries with changes on specific date (YYYY-MM-DD)

Example Requests:

# Get all active watchlist entries
GET /domains/api/watchlist/

# Get entries with changes
GET /domains/api/watchlist/?has_changes=true

# Get entries with changes on specific date
GET /domains/api/watchlist/?date=2025-12-25

# Combined filters
GET /domains/api/watchlist/?has_changes=true&date=2025-12-25

Response Fields:

{
  "id": 123,
  "domain": 456,
  "domain_name": "example-phishing.com",
  "domain_details": {
    "id": 456,
    "name": "example-phishing.com",
    "registrar_name": "GoDaddy",
    "http_status": 200,
    "https_status": 200,
    "dns_records": { "A": [...], "MX": [...] }
  },
  "added_at": "2025-12-20T08:15:30Z",
  "reason": "[2025-12-20] Added from alert (keyword: paypal)",
  "is_active": true,
  "alert_event": 789,
  "latest_changes": [
    {
      "id": 101,
      "change_type": "dns_change",
      "detected_at": "2025-12-21T14:30:00Z",
      "change_details": {
        "record_changes": {
          "A": {"removed": ["192.0.2.100"], "added": ["198.51.100.50"]}
        }
      },
      "is_notified": true,
      "notified_at": "2025-12-22T09:00:00Z"
    }
  ]
}

Add from Alert Event

Endpoint: POST /domains/api/watchlist/add_from_alert/

Request Body:

{
  "domain_id": 456,
  "alert_event_id": 789,
  "reason": "[2025-12-25] Suspected phishing - brand impersonation"
}

Response:

  • 201 Created: Successfully added to watchlist
  • 200 OK: Already in watchlist, reactivated if previously deactivated
  • 400 Bad Request: Already in active watchlist or invalid input
  • 404 Not Found: Domain doesn't exist
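A minimal client for this endpoint, added here as an example (not Monids' own code) for scripting the bulk-add step of the Brand Protection Campaign workflow: it sends the documented request body and maps the four documented status codes to outcomes instead of treating every 4xx as a failure. The transport is injected so the logic runs offline; the base URL, the "Authorization: Token" header and the outcome labels are assumptions.

```python
import json
import urllib.request
from urllib.error import HTTPError

ENDPOINT = "/domains/api/watchlist/add_from_alert/"  # documented path

# Documented status codes -> outcome label returned to the caller.
OUTCOMES = {201: "added", 200: "reactivated",
            400: "already_active_or_invalid", 404: "domain_not_found"}

def urllib_transport(base_url, token):
    """Real transport: POST JSON, return (status, body); 4xx is returned, not raised."""
    def post(path, payload):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(payload).encode(), method="POST",
            headers={"Content-Type": "application/json", "Authorization": f"Token {token}"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return post

def add_from_alert(post, domain_id, alert_event_id, reason):
    """Submit the documented body and return an outcome label; unknown codes raise."""
    payload = {"domain_id": domain_id, "alert_event_id": alert_event_id, "reason": reason}
    status, body = post(ENDPOINT, payload)
    if status not in OUTCOMES:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    return OUTCOMES[status]

def add_many(post, pairs, reason):
    """Bulk step of the brand-protection workflow: returns {domain_id: outcome}."""
    return {domain_id: add_from_alert(post, domain_id, alert_id, reason)
            for domain_id, alert_id in pairs}

def fake_transport(store):
    """Offline stand-in. store maps domain_id -> None (not watched), False (deactivated),
    True (active); unknown ids behave like a non-existent domain."""
    def post(path, payload):
        if path != ENDPOINT:
            raise ValueError(path)
        domain_id = payload["domain_id"]
        if domain_id not in store:
            return 404, {"detail": "Not found"}
        if store[domain_id] is True:
            return 400, {"detail": "already in active watchlist"}
        code = 200 if store[domain_id] is False else 201
        store[domain_id] = True
        return code, {"id": 1, "is_active": True}
    return post
```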

Create Watchlist Entry

Endpoint: POST /domains/api/watchlist/

Request Body:

{
  "domain": 456,
  "reason": "Manual addition - suspicious registration pattern"
}

Remove from Watchlist

Endpoint: DELETE /domains/api/watchlist/{id}/

Response: 204 No Content

Deactivate Entry

Endpoint: POST /domains/api/watchlist/{id}/deactivate/

Response:

{
  "status": "deactivated"
}

Reactivate Entry

Endpoint: POST /domains/api/watchlist/{id}/activate/

Response:

{
  "status": "activated"
}

Troubleshooting

Domain Not Updating

Symptoms: Domain shows stale data or hasn't refreshed in 24+ hours

Diagnosis Steps:

  1. Check domain still exists using external WHOIS tool
  2. Review HTTP status - may indicate domain is offline
  3. Wait for next daily snapshot (runs overnight UTC)
  4. Check system logs for snapshot errors

Common Causes:

  • DNS Failure: Domain's nameservers are not responding
  • Domain Deleted: Domain expired or was deleted by registrar
  • Network Issues: Temporary connectivity problems during snapshot
  • Anti-Bot Measures: Domain blocking automated monitoring tools

Resolution:

  • Wait 24-48 hours for automatic recovery
  • If domain is permanently gone, remove from watchlist
  • Contact support if issues persist across multiple domains

Missing Change Detection

Symptoms: Domain has changed but no change events appear

Diagnosis Steps:

  1. Verify domain has at least two snapshots (changes require comparison)
  2. Check if change is actually significant (TTL changes are ignored)
  3. Expand domain to view "Changes Detected" section
  4. Review change detection logs

Common Causes:

  • Recently Added: Need 24-48 hours for initial baseline and first comparison
  • No Actual Change: Domain is stable, no modifications detected
  • Ignored Changes: Some changes (like TTL) are intentionally not tracked
  • Processing Delay: Change detection runs after snapshot completion

Resolution:

  • Wait 48 hours after adding domain for meaningful change detection
  • Stable domains won't show changes (this is expected)
  • Manually verify using external tools if critical

Filter Not Working

Symptoms: Filters don't reduce results or show incorrect domains

Diagnosis Steps:

  1. Verify filter syntax (date must be YYYY-MM-DD)
  2. Check if domains actually have changes (expand to verify)
  3. Clear browser cache and reload
  4. Try filter via API to rule out frontend issues

Common Causes:

  • Invalid Date Format: Using MM/DD/YYYY instead of YYYY-MM-DD
  • Empty Results: No domains match filter criteria (expected behavior)
  • Browser Cache: Stale React-Admin state
  • Backend Sync: Snapshot/change detection still processing

Resolution:

  • Use correct date format: 2025-12-25 (not 12/25/2025)
  • Verify changes exist on that date via expand panel
  • Clear filters and re-apply
  • Wait for next snapshot cycle if recently added

Email Notifications Not Received

Symptoms: Not receiving watchlist change notifications in daily emails

Diagnosis Steps:

  1. Verify Alert Preferences → want_email is enabled
  2. Check spam/junk folder for Monids emails
  3. Verify watchlist actually has changes on alert date
  4. Review email logs for delivery status

Common Causes:

  • No Changes: No domains had changes on alert date (notification suppressed)
  • Email Disabled: Alert preferences have want_email=False
  • Spam Filter: Email provider blocking alerts as spam
  • No Alerts: Daily alert email only sent when alert events exist

Resolution:

  • Enable email notifications in Alert Preferences
  • Whitelist noreply@monids.com in email provider
  • Watchlist changes only included when alert events also occur
  • Verify changes exist using watchlist filters

Symptoms: Clicking alert icon shows "Not Found" error

Diagnosis Steps:

  1. Verify alert event still exists in database
  2. Check if alert event was manually deleted
  3. Review browser console for navigation errors
  4. Try accessing alert events list directly

Common Causes:

  • Deleted Alert: Alert event was removed from system
  • Invalid Reference: Database integrity issue (rare)
  • Permission Issue: Alert belongs to different user
  • Navigation Bug: Frontend routing error

Resolution:

  • If alert was deleted, link will fail (expected behavior)
  • Alert link is supplementary - domain monitoring continues independently
  • Contact support if alerts are disappearing unexpectedly

Limits and Quotas

Watchlist Capacity

Resource         | Limit        | Notes
Domains per User | Unlimited    | No hard limit on watchlist size
Daily Snapshots  | 1 per domain | Consistent 24-hour intervals
Change Events    | Unlimited    | All changes stored indefinitely
API Rate Limit   | 100 req/min  | Standard rate limiting applies

Performance Considerations

Large Watchlists (100+ domains):

  • Frontend pagination (25 per page) ensures fast loading
  • Backend uses select_related and prefetch_related for optimization
  • Filters reduce result set for better performance
  • No practical limit on watchlist size

Storage:

  • Snapshots stored indefinitely (disk space permitting)
  • Change events preserved for audit trail
  • Historical data enables trend analysis
  • Consider periodic cleanup of old/inactive domains

Snapshot Schedule

Daily Snapshot Process:

  1. Trigger: Automated daily job (runs overnight UTC)
  2. Execution: Asynchronous snapshot tasks per domain
  3. Data Collection: DNS, WHOIS, HTTP status, SSL certificates
  4. Change Detection: Comparison against previous snapshot
  5. Notification: Change events created and queued for email

Timing:

  • Snapshots typically complete within 1-2 hours
  • Change detection runs immediately after snapshot
  • Email notifications sent in morning digest (6-8 AM UTC)
  • Exact timing may vary based on system load

  • Getting Started - System overview and initial setup
  • Alerts - Configure domain monitoring alerts and keywords
  • Interfaces - Email, Slack, and SIEM integration options
  • REST API - Comprehensive API documentation for automation
  • Alert Events - Understanding and responding to triggered alerts

Last Updated: 2025-12-25
Version: 2.0
Changelog:

  • Added change detection documentation
  • Added email notification integration
  • Added filtering and search capabilities
  • Added API documentation for watchlist operations
  • Updated UI screenshots and examples
  • Expanded troubleshooting section
